Western Digital April 2023: My Cloud Offline, Signing Certificates Out the Door
Threat Intelligence
Western Digital took its My Cloud service offline for almost two weeks in April 2023 after an ALPHV-affiliated actor exfiltrated customer data and code-signing certificates. A walkthrough of the chain and the longer-tail signing-key problem.
By Arjun Raghavan, Security & Systems Lead, BIPI · April 21, 2024 · 8 min read
On April 2, 2023 Western Digital posted that My Cloud, the consumer service that backs millions of WD-branded NAS devices, was offline. The outage lasted nearly two weeks. Behind it was a March intrusion attributed to actors associated with the ALPHV / BlackCat ecosystem. Customer data was taken. So were code-signing certificates, which is the part of the story with the longest tail.
Timeline
- March 26, 2023: Western Digital detects unauthorized access to its internal systems. Initial response begins.
- April 2, 2023: My Cloud is taken offline. WD discloses publicly that customer data was accessed.
- April 13, 2023: My Cloud begins phased restoration. Customers are forced through password resets.
- April 28, 2023: WD confirms customer database exfiltration: names, billing and shipping addresses, hashed passwords, partial credit card data. They also confirm signing certificates were taken.
- May 5, 2023: WD revokes the affected signing certificates and pushes firmware updates that change the trust roots.
- Through Q3 2023: incremental disclosures expand the customer impact estimate to roughly 10 million accounts.
Root cause
WD's public root-cause disclosure was limited in detail. What the incident reveals structurally is that the same internal network held customer-facing service data and product code-signing infrastructure. Whether the entry was a phishing chain, an exposed admin interface, or a vendor pivot, the lateral movement crossed a boundary that should not have existed.
Code-signing keys belong in HSMs with hardware-bound issuance. If a service account on a corp-network laptop can reach them, the design is the bug.
Attacker actions
The actor cluster moved laterally through WD's environment, established persistence, exfiltrated the customer database, and pulled signing certificates. There was no encryption ransomware deployment; the leverage was the data and the signing material. Subsequent reports indicated negotiation attempts, including the disclosure of an executive video call screenshot to apply pressure. The objective profile matches a double-extortion campaign that opted out of the encryption stage.
Detection signals
- Access to internal signing infrastructure from accounts or hosts that have no business there. Build systems, signing services, and certificate issuance should generate alerts on every administrative action.
- Large database exports from customer-facing services to internal staging hosts. Cardinality and volume anomalies are tractable detections.
- Outbound exfiltration patterns over weeks rather than days. Modern actors slow-walk transfers to fly under volumetric alerts.
- Use of legitimate dual-use tools: AnyDesk, Splashtop, RClone, Cobalt Strike beacons disguised as monitoring agents.
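The first and third signals above, as an added example that is not part of the article and uses no WD data: a small detector run over constructed audit and egress records, with assumed allowlists for the hosts and accounts permitted to touch signing infrastructure.

```python
from collections import defaultdict
from datetime import date
GB = 10**9

# Constructed signing-service audit events (not WD data). Assumed fields: ts, user, host, action.
SIGNING_AUDIT = [
    {"ts": "2023-03-20T09:14", "user": "svc-build", "host": "build-01", "action": "sign"},
    {"ts": "2023-03-22T13:02", "user": "jdoe", "host": "corp-laptop-417", "action": "export_cert"},
    {"ts": "2023-03-23T02:41", "user": "svc-build", "host": "corp-laptop-417", "action": "sign"},
]
# Assumed allowlists: the only hosts and accounts that should ever reach signing infrastructure.
ALLOWED_HOSTS = {"build-01", "build-02"}
ALLOWED_USERS = {"svc-build", "pki-admin"}
ADMIN_ACTIONS = {"export_cert", "issue_cert", "revoke_cert", "add_operator"}

def signing_alerts(events):
    """Signal 1: any signing event from an unexpected host or account, plus every admin action."""
    alerts = []
    for e in events:
        reasons = []
        if e["host"] not in ALLOWED_HOSTS:
            reasons.append("unexpected host")
        if e["user"] not in ALLOWED_USERS:
            reasons.append("unexpected account")
        if e["action"] in ADMIN_ACTIONS:
            reasons.append("admin action")
        if reasons:
            alerts.append((e["ts"], e["user"], e["host"], e["action"], reasons))
    return alerts

# Constructed per-host daily egress (host, day, bytes): a staging host pushing
# 4 GB/day for three weeks never crosses a 20 GB/day volumetric threshold.
DAILY_EGRESS = (
    [("staging-07", f"2023-03-{d:02d}", 4 * GB) for d in range(1, 22)]
    + [("build-01", f"2023-03-{d:02d}", 1 * GB) for d in range(1, 22)]
)

def slow_exfil_alerts(rows, daily_cap=20 * GB, window_days=21, window_cap=60 * GB):
    """Signal 3: hosts under daily_cap every day whose trailing window_days total exceeds window_cap."""
    per_host = defaultdict(lambda: defaultdict(int))
    for host, day, nbytes in rows:
        per_host[host][date.fromisoformat(day)] += nbytes
    hits = []
    for host, by_day in per_host.items():
        days = sorted(by_day)
        for end in days:
            window = [by_day[d] for d in days if 0 <= (end - d).days < window_days]
            if sum(window) > window_cap and max(window) < daily_cap:
                hits.append((host, end.isoformat(), sum(window)))  # one hit per host
                break
    return hits
```

The thresholds are illustrative; in practice they are tuned per host class from a baseline of normal egress.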
Lessons
- Inventory every signing key in the organization. App stores, code signing, container registries, package signing. Map each to a custodian and a rotation plan.
- Move all signing operations into an HSM-backed signing service. Hardware-bound issuance breaks the take-the-key-and-go model.
- Segment crown-jewel networks. Signing infrastructure should not be reachable from a sales engineer's laptop on a Wednesday.
- Practice key revocation. Customers' devices that trust your old certificate need an updated trust root. The update mechanism is the long-tail piece WD spent the rest of the year on.
Western Digital eventually restored service and pushed updated trust roots. The customer database loss is the headline; the signing certificate loss is the quiet ongoing risk. As long as a device in the field still trusts the old certificate, an attacker holding the original key has a window. Designing trust-update paths into shipping products is the lesson defenders ten years from now will still be working on.